Redis LUA Exploit

Severity

High

Vendor

Redis

Versions Affected

Redis 3.0.1 or older

Redis 2.8.20 or older

Redis 2.6.x

Description

It was discovered that it is possible to break out of the LUA sandbox in Redis and execute arbitrary code. The user must have access to the Redis process to connect and execute the exploit to take advantage of the vulnerability.

Whilst all Redis instances are password protected and thus protected on the basis only authenticated users have access, new releases will be made available that contain the patched version of Redis.

Affected Pivotal Products and Versions

Severity is
high
unless otherwise noted.

Redis for Pivotal Cloud Foundry 1.4.4 or less

Mitigation

Users of affected versions should apply the following mitigation:

A new release of Redis for Pivotal Cloud Foundry will be released which includes Redis 2.8.21 which resolves this vulnerability